
GDPR for counsellors in private practice

By Kiku

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. Basically, if you or an organisation collects personal data on any persons in the UK, then you have a responsibility to protect the rights of that person in accordance with the regulation.

When running a therapy business you will need to collect and store both personal data (client contact details, GP details and emergency contact details) and sensitive data (clinical notes, treatment plans, email correspondence) in relation to your clients.

Under GDPR (2018), therapists in private practice are classed as data controllers because we determine how our counselling client data is collected and stored while providing our service.

It’s therefore really important that we understand our obligations under GDPR and shape our private practice counselling policies and procedures accordingly, to ensure that all data remains private and that we are treating our clients fairly in line with this legislation.


What are our counselling clients' rights under GDPR?

The key rights of your clients and their data protected by GDPR, in a nutshell, are:

  • The right to be informed
  • The right of access
  • The right to rectification of records
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object

1. The Right to be Informed

At the start of therapy you'll need to tell clients what information you will be collecting, why you need this data and how you will use it in your practice; you also need to tell them how they can access and modify it, withdraw consent for you to hold and process their records, and raise a complaint if they wish to do so.

Ideally this should be communicated in writing as well as explained verbally in session. It's good practice to obtain consent at this point, either written or digital, alongside their agreement to your terms of business.

We've put together a client agreement template for you to help with this.


2. The Right of Access

You'll need to make sure your clients know that they have the right to view the data you hold on them (contact details and session notes) at any time. When setting up your counselling business and putting your policies and procedures together you'll need to think about how you would handle a right of access request, as the possible impact on the client of reading your clinical notes needs to be carefully considered on a case-by-case basis.


3. The Right to Rectification

Your counselling clients have the right to request that you change any of your records that relate to them. Again you will need to have a policy in place for how you will handle such a request.

4. The Right to Erasure

Counselling clients can request that you delete all of the data that you hold about them at any time. You do not have to comply with this request, however, if: you need to retain this data to continue providing your service; the data is required by a Court of Law; or you require the data to establish, exercise or defend legal claims.

5. The Right to Restrict Processing

Your client can withdraw their consent to data processing and storage at any time.


6. The Right to Data Portability

This means you will need to ask the permission of clients to be able to move their personal data from one system to another.

7. The Right to Object

Your counselling clients need to know they have the right to object to their data being used in any other way than that agreed at the start of the counselling process e.g. for marketing purposes. It's important that your counselling clients are not subject to automated decision making about their data. This is relevant if you are required to provide data to health insurance companies or employers, or in instances where a third party has requested access to your client's clinical notes (e.g. the police or solicitors).


GDPR compliance in your counselling business

You are responsible for protecting the rights of your clients and their data. You'll need to ensure that you clearly communicate your data protection policy to your counselling clients, obtain their consent to this and store their data securely at all times.

If you choose to keep paper records, these will need to be stored in a locked filing cabinet and personal contact details should be stored separately from your anonymised clinical notes.

If you use a practice management system, it should be GDPR compliant and you should communicate in clear terms to your clients all the necessary ways in which you collect and use their data.

The best practice management software will hold all of your clients' data securely in one place, automatically anonymise clinical notes and diary entries on your behalf and have a GDPR-compliant archiving procedure in place.

Kiku was designed by counsellors who know your professional needs. Our practice management software for UK therapists is fully encrypted and both password and two-factor authentication protected to ensure that the client information we process and store is always safe and secure.

We've put together all of the GDPR document templates you'll need for your private practice counselling policies and procedures here.
